
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

The Changing Landscape of Cyber Threats (June 4, 2008)

Speaking at the Government Forum of Incident Response and Security Teams (GFIRST) conference, Jeanie Larson, program manager of the Incident Management Division at the US Department of Energy, said, "The old perimeter model [of cyber security incident response] is ineffective." If the absolute number of cyber attacks declines, it doesn't mean that the cyber threat has declined. Instead, people responsible for responding to cyber security incidents need to be on the lookout for targeted attacks. Even one compromised workstation could be a more serious threat than a large number of infections, depending on that workstation's user. One hindrance to addressing emerging cyber threats effectively is the difficulty many government agencies have with sharing information with each other and even within their own organizations.
-http://www.federalnewsradio.com/?nid=169&sid=1415201
[Editor's Note (Ranum): People keep saying stuff like "The old perimeter model [of cyber security incident response] is ineffective" but I don't see anyone offering a viable alternative. Isn't that a bit unsettling? I've been in this industry long enough to watch some organizations flip-flop back and forth repeatedly between perimeter and host security approaches. They invariably find that neither, unless it is executed with incredible discipline, works by itself. You can tell a security n00b when they say the perimeter model doesn't work - just ask them "what do you intend to do about DNS and ARP?" If they don't have a good answer (they never do) take away their internet car-keys until they sober up.
(Schultz): The lack of information sharing within U.S. government agencies has been a problem over many years. Despite numerous attempts to promote better information sharing, individuals within the government tend to persist in viewing possession of security-related information, especially information about security-related threats and incidents, as power. Accordingly, they withhold information from others.]

A report from McAfee says that the country domain hosting the highest proportion of malicious websites is Hong Kong (.hk), with 19.2 percent of tested websites hosting some type of malware. Following Hong Kong are China (.cn) with 11.8 percent, and the Philippines (.ph) and Romania (.ro). The likelihood of downloading malicious software while web surfing increased 41 percent over last year, according to the report. Among the safest country domains were Finland (.fi), Japan (.jp) and Australia (.au); the .gov domain also had a very low incidence of malicious sites. Of generic top-level domains, .info is still the riskiest: 11.7 percent of .info sites potentially contain malware.
-http://www.securityfocus.com/brief/749
-http://www.gcn.com/online/vol1_no1/46417-1.html?topic=security&CMP=OTC-RSS
-http://www.msnbc.msn.com/id/24966835/

Trend Micro Won't Seek VB100 Certification (June 8 & 9, 2008)

Trend Micro says it will no longer seek VB100 certification for its products. The VB100 certification tests antivirus products against the WildList, a small set of malware samples, to see if they can detect every sample of known viruses without any false positives. Trend Micro maintains that the most significant Internet threats are no longer viruses, but Trojans and bot software, for which VB100 does not test. Panda has not submitted its products for VB100 certification since 2002. Standards and methods for testing antivirus products have been hot topics for some time; earlier this year, companies that make security software and the laboratories that conduct the testing agreed to create the Anti-Malware Testing and Standards Organization (AMTSO) to develop best practices and standards for testing the products. Virus Bulletin, the company that conducts the VB100 testing, says that a string of passed certifications indicates a well-maintained product. The company says the WildList will evolve to include Trojans.
-http://www.securityfocus.com/news/11522
-http://www.pcworld.com/businesscenter/article/146833/antivirus_vendors_gripe_that_test_isnt_current.html

This article lays out the major US presidential candidates' positions on important technology issues, including net neutrality, broadband availability, H1B visas, privacy and intellectual property. One analyst observes that the current candidates "see the social Internet as another form of broadcast media," but future candidates will need to harness the power of social applications to get in touch with what voters are thinking.
-http://www.pcmag.com/print_article2/0,1217,a%253D228276,00.asp

The UK Department for Work and Pensions says it disciplined 20 employees for data security infringements between April 2007 and March 2008. The infringements included "breaches of data-protection requirements" and "inappropriate use of personal or sensitive data." It does not appear that any staff members were dismissed over the incidents. Over the same period of time, HM Revenue & Customs (HMRC) disciplined 192 employees. The two organizations employ roughly the same number of people.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39429132-39001093c,00.htm

MALWARE, VULNERABILITIES AND PATCHES

Kaspersky is asking for help in cracking a 1024-bit RSA key used in a Trojan horse variant. The Gpcode Trojan horse program has been used in ransomware attacks over the last two years and encrypts files on infected computers; the attackers demand payment to unlock the files. The key is created by the Microsoft Enhanced Cryptographic Provider. Researchers estimate that cracking the key would require millions of computers working for about a year, so they are calling on others to help.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818&source=rss_topic17
-http://www.theregister.co.uk/2008/06/06/ransomeware_call_to_arms/print.html
[Editor's Note (Veltsos and Honan): While up to date anti-virus software will provide protection against this type of attack, timely and up to date backups provide the ultimate defence. A well tested daily backup strategy would go a long way in preventing the need to crack 1024-bit encryption in the first place by having a suitable Recovery Point Objective (amount of tolerable data loss). The backups should be encrypted, of course, but this time, you hold the key to your data.
(Northcutt): Well, it is interesting, I will spot you that. They have published two RSA public keys and are asking folks to brainstorm ways to factor the key.
-http://www.viruslist.com/en/weblog]
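The editors' point above is that against file-encrypting malware the recoverable data is bounded by the age of the newest backup that has actually been restore-tested, not by whether the attacker's key can be factored. The following script is an added example (not code from the newsletter, Kaspersky or any backup vendor) that takes a constructed backup catalogue and reports, per data set, the worst-case loss window against a Recovery Point Objective, ignoring snapshots that were never restore-tested. All data set names and timestamps are made up.

```python
"""Recovery Point Objective (RPO) check over a backup catalogue.

Added example: a constructed list of backup snapshots is compared against an
RPO. Only snapshots that passed a test restore count as recovery points,
because an unrestored backup is an assumption, not a recovery capability.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Snapshot:
    dataset: str
    taken_at: datetime
    restore_tested: bool  # True only if a test restore from this snapshot succeeded


@dataclass
class RpoReport:
    dataset: str
    usable_backup: Optional[datetime]  # newest restore-tested snapshot, if any
    data_at_risk: Optional[timedelta]  # time since that snapshot = data that would be lost
    within_rpo: bool


def newest_usable(snapshots: List[Snapshot]) -> Optional[datetime]:
    """Return the timestamp of the newest restore-tested snapshot, or None."""
    tested = [s.taken_at for s in snapshots if s.restore_tested]
    return max(tested) if tested else None


def check_rpo(snapshots: List[Snapshot], rpo: timedelta, now: datetime) -> Dict[str, RpoReport]:
    """Compute the worst-case loss window per data set and compare it to the RPO."""
    by_dataset: Dict[str, List[Snapshot]] = {}
    for s in snapshots:
        by_dataset.setdefault(s.dataset, []).append(s)

    reports: Dict[str, RpoReport] = {}
    for name, snaps in sorted(by_dataset.items()):
        usable = newest_usable(snaps)
        if usable is None:
            # No tested backup at all: everything since the data set's creation is at risk.
            reports[name] = RpoReport(name, None, None, False)
            continue
        at_risk = now - usable
        reports[name] = RpoReport(name, usable, at_risk, at_risk <= rpo)
    return reports


# Constructed catalogue (hypothetical data sets): one with a daily tested backup,
# one whose newest snapshot was never restore-tested, one with no tested backup.
NOW = datetime(2008, 6, 10, 9, 0)
SAMPLE_SNAPSHOTS = [
    Snapshot("fileserver", datetime(2008, 6, 9, 23, 0), restore_tested=True),
    Snapshot("fileserver", datetime(2008, 6, 8, 23, 0), restore_tested=True),
    Snapshot("finance-db", datetime(2008, 6, 9, 23, 0), restore_tested=False),
    Snapshot("finance-db", datetime(2008, 6, 6, 23, 0), restore_tested=True),
    Snapshot("laptops", datetime(2008, 6, 9, 23, 0), restore_tested=False),
]


def run_sample() -> Dict[str, RpoReport]:
    """Evaluate the constructed catalogue against a 24-hour RPO."""
    return check_rpo(SAMPLE_SNAPSHOTS, timedelta(hours=24), NOW)


def main() -> None:
    for r in run_sample().values():
        if r.usable_backup is None:
            print(f"{r.dataset}: NO restore-tested backup")
        else:
            state = "OK" if r.within_rpo else "RPO BREACH"
            print(f"{r.dataset}: last usable {r.usable_backup:%Y-%m-%d %H:%M}, "
                  f"data at risk {r.data_at_risk}, {state}")


if __name__ == "__main__":
    main()
```

In the sample, the file server has ten hours of data at risk and meets the 24-hour RPO; the finance database has a fresh but untested snapshot, so its real loss window is three days and ten hours, and the laptop set has no usable recovery point at all. The design choice worth noting is that the report deliberately refuses to count an untested snapshot, which is what the editors mean by a "well tested" backup strategy.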

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Dubai Development Company Investigating Data for Sale on eBay (June 5, 2008)

MISCELLANEOUS

Australia Launches Threat Alert Service for SMBs (June 9, 2008)

The Australian government has launched an online Internet threat alert service aimed at small and midsize businesses. The service is free and offers advice on security threats and how to mitigate them. Other alert services are tailored more to large companies with professional security resources and expertise, but small businesses lack that sort of support. The service will also alert customers to Australia-focused threats, such as specific phishing schemes. Some believe that ISPs should still do more to protect users from Internet threats.
-http://www.zdnetasia.com/news/security/0,39044215,62042374,00.htm

Privacy and consumer advocacy groups in the US and Canada are calling on US legislators to conduct an investigation into a cable television and Internet provider's plan to launch a targeted advertising program. St. Louis, Missouri-based Charter Communications plans to share customers' web search information with NebuAd, a plan Charter maintains will enhance its customers' online experience. There are reports that other ISPs are considering similar schemes.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094498&source=rss_topic17

Why Security is a Hard Sell (May 26, 2008)

Bruce Schneier makes a strong argument for building security into products rather than pursuing the arduous job of selling security products as add-ons. Schneier says that the reason security products are such a hard sell is exemplified in Prospect Theory, the foundation of modern behavioral economics. In essence, the theory states that people will choose a for-sure smaller gain over a possible larger gain, but will opt for a possible big loss over a certain small loss. Put simply in terms of security products, people are reluctant to make a small investment to protect themselves from a security breach; instead, they are willing to take the chance that they will not be the target of a cyber security incident. Baking security into all products from the start makes selling security a non-issue.
-http://www.cio.com/article/print/367913
[Editor's Note (Weatherford): Once again, Bruce nails it with a thought-provoking example that will help people re-evaluate and repackage their approach to selling security.]

UPCOMING SANS WEBCAST SCHEDULE

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Today's business is digital across the board, relying on digital processes, communications, assets, and commerce. This has spawned a massive increase in fraud. We read about it nearly every week, and in almost every case, the problem seems obvious in hindsight. Societe Generale, with $7 billion in trading fraud, is the current poster child. Too often, fraud could have been detected and stopped if only someone noticed the connection between several activities, each of which was fine in isolation. Taken together, however, they paint a picture of fraud.

SMBs need IT security solutions that are easy to adopt and maintain. How are small and medium-size businesses (SMBs) adopting, using, and managing IT security technologies, including security information management (SIM), network security, intrusion prevention, application security, content filtering, and network access control (NAC)? Leading areas of focus for SMB security programs are data security and business continuity, followed by application security and access control to support partners and channels as their business grows. While these issues are not unlike those facing larger enterprises, SMBs must prioritize their security program most carefully to avoid costly pitfalls. Undiscovered security threats that slow down the large enterprise can cause the SMB to close its doors if they are not prepared for risk avoidance.

SANS Special Webcast: Endpoint Security: Point Solution or Protection Platform
WHEN: Tuesday, June 24, 2008 at 3:00 PM EDT (1900 UTC/GMT)
FEATURING: Stephen Northcutt and Dan Teal
-https://www.sans.org/webcasts/show.php?webcastid=91963
Sponsored By: CoreTrace
-http://www.coretrace.com/

Join SANS President Stephen Northcutt as he reviews the key features in endpoint security that really matter, how to shop for the best products, and why implementing defense in depth on your organization's endpoint is a best practice.

This webcast will discuss some of the most egregious mistakes made by enterprises and network operators who have suffered costly and/or embarrassing security breaches.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/